U.S. Department of Agriculture
Office of Inspector General
Financial and IT Operations
Audit Report

SECURITY OVER INFORMATION TECHNOLOGY RESOURCES AT THE NATIONAL AGRICULTURAL STATISTICS SERVICE

Report No. 26099-1-FM
May 2001

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

DATE: May 14, 2001

REPLY TO ATTN OF: 26099-1-FM

SUBJECT: Security Over Information Technology Resources at the National Agricultural Statistics Service

TO: R. Ronald Bosecker
    Administrator
    National Agricultural Statistics Service

This report presents the results of our audit of the Security Over Information Technology Resources at the National Agricultural Statistics Service (NASS). The report identifies weaknesses in NASS’ ability to protect its critical information technology resources. NASS has corrected a substantial number of the problems found, and has aggressively implemented plans to correct the remaining areas of concern.

Your response to our draft report is included in Exhibit A, with excerpts incorporated in the findings and recommendations section of the report. Based on the information provided in the response, we have reached management decision on all recommendations in the report. Please follow your internal procedures in forwarding documentation of final action to the Office of the Chief Financial Officer.

We appreciate the courtesies and cooperation extended to us during this audit.

/s/

ROGER C. VIADERO
Inspector General

EXECUTIVE SUMMARY

RESULTS IN BRIEF

We identified weaknesses in National Agricultural Statistics Service’s (NASS) ability to adequately protect sensitive information from inappropriate disclosure, and critical operations from disruption. Significant information security weaknesses were identified during our review including inadequately restricted access to sensitive data. Although this and other identified weaknesses placed critical NASS operations at risk of disruption of service and inappropriate disclosures, prompt action by NASS has mitigated a majority of the weaknesses identified. NASS relies on its information technology (IT) infrastructure to supply market-sensitive data on commodities to the agricultural community. NASS’ ability to accomplish this mission would be jeopardized if its IT infrastructure were compromised.

To test the vulnerability of NASS to the threat of internal and external intrusions, we conducted an assessment of selected NASS networks, using a commercially available software product, which is designed to identify vulnerabilities associated with various operating systems. Our assessments, performed in November and December 2000, identified 71 high and medium risk IT security vulnerabilities[1] and numerous low risk vulnerabilities. These vulnerabilities could have allowed an attacker to gain complete administrative privileges of NASS’ network.
Once this administrative privilege is established, an attacker could obtain, modify or destroy critical NASS data. During our fieldwork, NASS officials advised us that they took immediate action to implement the changes and enhancements necessary to resolve each of the high and medium risk vulnerabilities we identified. NASS also took immediate action to protect its internal network by ensuring the proper configuration of its firewall. Further, NASS began efforts to conduct its own scans of its systems on a periodic basis to identify and mitigate known vulnerabilities.

Additionally, we found that NASS had not developed a configuration program for its systems. A configuration program ensures that all systems are configured alike by routinely updating all systems with security patches and other software updates. We believe this corporate level approach to system configuration, along with regularly scheduled vulnerability assessments and remediation of the risks discovered, would substantially enhance the security of NASS’ computer systems.

[1] High-risk vulnerabilities are those that provide access to the computer, and possibly the network of computers. Medium-risk vulnerabilities are those that provide access to sensitive network data that may lead to the exploitation of higher risk vulnerabilities. Low-risk vulnerabilities are those that provide access to sensitive, but less significant network data.

USDA/OIG-A/26099-1-FM Page i

We found that NASS needs to improve its management of IT resources, and ensure compliance with existing Federal requirements for managing and securing IT resources. NASS has not (1) identified their mission essential infrastructure (MEI) or conducted the necessary risk assessments of their networks as required by Presidential Decision Directive (PDD) – 63; (2) adequately documented network security in their security plan as required by the Office of Management and Budget (OMB) Circular A-130; (3) prepared for potential service disruptions by developing a comprehensive contingency plan; or (4) properly certified to the security of their major systems. We found that NASS’ managers, who are responsible for ensuring adequate security, have not evaluated the adequacy of their computer-based controls, or fully identified risks to their systems.

Our audit disclosed that NASS had weak controls over access to its sensitive data and systems at both the SSOs and headquarters. Because SSOs were allowed to configure their systems, there was little oversight by headquarters personnel to ensure that access controls were functioning properly.
Headquarters personnel stated that the access control weaknesses were overlooked in the daily operation of the computer system.

The types of weaknesses we found in our audit made it possible for persons to inappropriately modify or destroy sensitive data or computer programs or inappropriately obtain and disclose confidential information. In today’s increasingly interconnected computing environment, inadequate access controls can expose agency information and operations to attacks from remote locations by individuals with minimal computer or telecommunications resources and expertise. NASS officials have begun to take corrective action to correct the weaknesses identified.

KEY RECOMMENDATIONS

We recommended that NASS:

• Ensure corrective actions are taken on the vulnerabilities we identified.
• Periodically scan its network for vulnerabilities and track corrective actions to assure remediation.
• Adopt a corporate level approach to include establishing minimum security guidelines for the various operating systems used by NASS.
  Periodically assess those settings and correct those that have been misapplied.
• Ensure NASS compliance with PDD-63 and OMB requirements by identifying NASS’ MEI; performing a vulnerability assessment of the MEI; and establishing a remediation plan for correcting the vulnerabilities.
• Update the NASS Security Plan to include all areas required by OMB A-130, and provide more comprehensive information, as required.
• Document a comprehensive contingency plan and initiate procedures for periodic testing of the contingency plan.
• Correct identified access control weaknesses.

AGENCY RESPONSE

The NASS agreed with our recommendations and has initiated significant corrective actions.

OIG POSITION

We concurred with the NASS’ proposed corrective actions and have reached management decision on all recommendations.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
   RESULTS IN BRIEF
   KEY RECOMMENDATIONS
   AGENCY RESPONSE
   OIG POSITION
TABLE OF CONTENTS
INTRODUCTION
   BACKGROUND
   OBJECTIVES
   SCOPE
   METHODOLOGY
FINDINGS AND RECOMMENDATIONS
   CHAPTER 1
   VULNERABILITIES EXPOSE NASS SYSTEMS TO THE RISK OF MALICIOUS ATTACKS FROM INTERNAL AND EXTERNAL THREATS
   FINDING NO. 1
   RECOMMENDATION NO. 1
   RECOMMENDATION NO. 2
   RECOMMENDATION NO. 3
   RECOMMENDATION NO. 4
   CHAPTER 2
   NASS INFORMATION SECURITY PROGRAM MANAGEMENT NEEDS IMPROVEMENT
   FINDING NO. 2
   RECOMMENDATION NO. 5
   RECOMMENDATION NO. 6
   RECOMMENDATION NO. 7
   RECOMMENDATION NO. 8
   RECOMMENDATION NO. 9
   RECOMMENDATION NO. 10
   RECOMMENDATION NO. 11
   CHAPTER 3
   NASS LOGICAL ACCESS CONTROLS NEED IMPROVEMENT.
   FINDING NO. 3
   RECOMMENDATION NO. 12
   RECOMMENDATION NO. 13
   RECOMMENDATION NO. 14
   EXHIBIT A – NASS Response To Draft Report
ABBREVIATIONS

INTRODUCTION

BACKGROUND

Information security is critical for any organization that depends on information systems and computer networks to carry out its mission or business. Computer security risks are significant, and they are growing. The dramatic expansion in computer interconnectivity and the exponential increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business.
However, without proper safeguards, these developments pose enormous risks that make it easier for individuals and groups with malicious intentions to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other organizations’ sites. Further, the number of individuals with computer skills is increasing, and intrusion, or “hacking” techniques are readily available and relatively easy to use. This environment poses a threat to the sensitive and critical operations of the National Agricultural Statistics Service (NASS) and puts it at high risk.

NASS administers the U.S. Department of Agriculture’s (USDA) program of collecting, compiling, and disseminating current national and state agricultural statistics. NASS’ primary activities are the collection, summarization, and analysis of data for publication of accurate and reliable agricultural forecasts and estimates.
Statistical data developed by NASS on the nation’s agriculture are essential for the orderly development of production and marketing decisions by farmers, ranchers, and agribusiness. This data is also used for defining and carrying out agricultural policy related to farm program legislation, commodity programs, agricultural research, rural development, and related activities.

NASS issues the official state and national agricultural production and marketing estimates relating to (1) the number of farms and land in farms, acreage, yield and production of grains, grain stocks, hay, oilseeds, cotton, some fruits and vegetables, floriculture and other specialty crops; (2) inventories and production of hogs, cattle, sheep and wool, catfish, trout, poultry, eggs, dairy products; (3) prices received by farmers; (4) prices paid by farmers for inputs and services, cold storage stocks, agricultural labor and wage rates; and (5) other agricultural subjects. Information for the official estimates is gathered from many sources, using a variety of means.

The information is entered through NASS’ network of Local Area Networks (LAN), and uploaded through data communications to a mainframe computer where data files are stored and processed. Data from the surveys are edited on the mainframe computer, or are edited and summarized on personal computers at the State Statistical Offices (SSO). The SSOs also transmit computer data containing survey indicators and recommended estimates to Headquarters using data communications.
Corn, cotton, soybeans, sweet oranges, winter wheat, and other spring wheat have been designated as “speculative” commodities. Data for these commodities are encrypted and handled under special security procedures in the “lockup” facility, where the official statistical estimates are generated, because of the sensitivity of the data and its potential impact on the futures market prices of the commodities involved.

For “non-speculative” commodities that have been classified as sensitive, data communications are not encrypted and the estimates are finalized before the “lockup.”

OBJECTIVES

The objectives of this audit were to (1) assess the threat of penetration of NASS data systems by intruders; (2) determine the adequacy of security over the Local and Wide Area Networks; and (3) assess NASS management’s role in ensuring compliance with the Office of Management and Budget (OMB) and Departmental requirements related to information technology (IT) security.

SCOPE

We tested the NASS computer network to identify vulnerabilities that could enable unauthorized users to access sensitive data stored on or transmitted over NASS’ systems. We conducted our assessment at the NASS Headquarters in Washington, D.C., as well as conducting limited testing at 4 of 45 SSOs. The sample of SSOs was selected based on the type of connectivity used by the SSOs, and other considerations.
We used commercial software applications to assist us in our security reviews of over 100 NASS network components.

The audit was conducted in accordance with Government Auditing Standards. Our testing was performed between October 2000 and January 2001.

METHODOLOGY

To accomplish our audit objectives, we performed the following procedures:

• We reviewed IT security policies and procedures issued by the Office of the Chief Information Officer (OCIO) and NASS.
• We interviewed NASS officials responsible for managing the agency’s computer systems.
• We conducted vulnerability scans of the systems at NASS’ Headquarters and four SSOs.
• We performed detailed testing of NASS’ entity-wide security program, both physical and logical access controls, segregation of duties, and service continuity at the NASS headquarters by analyzing records and controls established to ensure that the security of the NASS’ computer systems was sufficient.

FINDINGS AND RECOMMENDATIONS

CHAPTER 1
VULNERABILITIES EXPOSE NASS SYSTEMS TO THE RISK OF MALICIOUS ATTACKS FROM INTERNAL AND EXTERNAL THREATS

FINDING NO. 1

Our vulnerability scans of selected NASS systems disclosed severe weaknesses in the system security administration. Specifically, we found that (1) scans of selected NASS systems disclosed a large number of vulnerabilities that could be exploited from both inside NASS’ network, and externally; and (2) system settings did not provide for optimum security, nor were they uniform throughout NASS. OMB Circular A-130 requires agencies to assess the vulnerability of information system assets; identify threats; quantify the potential losses from threat realization; and develop countermeasures to eliminate or reduce the threat or amount of potential loss. NASS had not taken sufficient actions to identify and eliminate security vulnerabilities within its systems. As a result, NASS’ systems and networks are vulnerable to cyber-related attacks, jeopardizing the integrity and confidentiality of NASS’ critical economic data.

We conducted our assessment of selected NASS networks between November and December 2000. We utilized two commercial off-the-shelf software products, one designed to identify over 800 vulnerabilities associated with various operating systems that use Transmission Control Protocol/Internet Protocol (TCP/IP)[2], and the other, which tests system settings in Novell networks.

TCP/IP System Vulnerabilities

We conducted our vulnerability scans at five NASS locations. These scans included 104 NASS network components. We also tested the firewall established by NASS as protection between NASS’ systems and the departmental telecommunications network. Our assessments revealed 71 high and medium-risk vulnerabilities.[3] In addition, we identified 209 low-risk vulnerabilities.
The high and medium vulnerabilities, if left uncorrected, could allow unauthorized users access to critical and sensitive NASS data. Additionally, the large number of low vulnerabilities identified indicates the need to strengthen system administration.

[2] The TCP/IP is a series of protocols originally developed for use by the US Military and now used on the Internet as the primary standard for the movement of data on multiple, diverse platforms, such as Windows NT and UNIX.

[3] High-risk vulnerabilities are those that provide access to the computer, and possibly the network of computers. Medium-risk vulnerabilities are those that provide access to sensitive network data that may lead to the exploitation of higher risk vulnerabilities. Low-risk vulnerabilities are those that provide access to sensitive, but less significant network data.

Detailed below are examples of the high-risk vulnerabilities revealed during our scans of the NASS systems:

• A commonly used program to transfer electronic mail contains a vulnerability that could allow an attacker to gain complete administrative privileges of the system. Once this administrative privilege is established, an attacker could obtain, modify or destroy critical NASS data.

• Programs used on web servers to provide enhanced functionality could allow an attacker to execute commands on the server that could provide them with such critical information as the server’s password file. The attacker could use this password file to obtain or destroy other data on the server.

• We scanned NASS’ systems from outside the firewall to assess the level of protection the firewall was providing.
  Our tests showed that the firewall was not properly configured to protect the NASS internal network.

Based upon our tests, a management alert dated November 21, 2000, was issued to NASS officials describing the vulnerabilities detected and the severity of each. The management alert also reported the incorrect configuration of NASS’ firewall. On December 6, 2000, NASS advised us that they had implemented the changes and enhancements necessary to resolve each of the high and medium-risk vulnerabilities reported in the management alert. Additionally, NASS took immediate action to correct the problems with their firewall configuration. On February 26, 2001, NASS informed us that they will evaluate commercially available tools for performing vulnerability assessments for the UNIX, Novell, and NT operating systems during fiscal year (FY) 2001. NASS plans to review licensing opportunities with other departmental agencies. NASS plans to acquire the recommended packages after October 1, 2001, either independently or as part of a larger USDA group. Once the recommended tools for performing vulnerability assessments are obtained, NASS will conduct vulnerability assessments on a quarterly basis beginning in January 2002.

We found that NASS had not developed a configuration management program for its systems. A configuration management program ensures that all systems are configured alike by routinely updating all systems with recent security patches and other software updates.
We believe this corporate level approach to system configuration, along with regularly scheduled vulnerability assessments and remediation of the risks discovered, would substantially enhance the security of NASS’ computer systems.

Novell System Policies

We conducted a detailed assessment of the security of the Novell networks at five sites. Our assessment software allowed us to compare NASS’ established security practices to the actual settings on the Novell systems. We also compared the system’s security settings to the software product’s “best practices settings,” which are based on standard practices from a wide variety of government and private institutions. The software product reports weaknesses that may leave the system open to potential threats in the following areas: (1) account restrictions; (2) password strength; (3) access control; (4) system monitoring; (5) data integrity; and (6) data confidentiality.

Our assessments disclosed significant weaknesses in account restrictions, password strength, and access controls; the areas that define a user’s ability to access the system. Our tests also showed the need for a configuration management program, as discussed above. We found that the Novell security settings were not consistently applied throughout the agency, varying from one site to another. For example, six grace logins[4] were allowed at two sites tested, while at two other sites, only one grace login was allowed. Some additional weaknesses we found included:

• User accounts were hidden from the system administrator. This raises concern because hidden accounts are often used as a means to set up a “back door” to the server.
  These accounts hold administrator access privileges, which belong to the most trusted users on a Novell system and allow complete control of the system. Additionally, because of these privileges, unauthorized users can modify system logs to hide their activities from the system administrator. This condition was noted at three of the five sites we visited.

• An excessive number of persons with administrator authorities were found at three of the five locations tested. We found 8 of 102 users, 5 of 97 users, and 36 of 729 users were admin equivalent at three NASS sites tested. Additionally, at one NASS field office, we noted that NASS had failed to remove user accounts belonging to another agency, including some accounts with administrator privileges.

• A large number of inactive accounts that had not been disabled were noted on all five networks tested. For example, almost 80 percent of all accounts on one network were inactive, while 24 percent of 625 user accounts were inactive at another site tested. User accounts that become inactive, but not disabled, provide opportunities for unauthorized users to gain access to the network. An attacker can try different passwords on these inactive accounts and attempt to gain access to the network.
  Once that access is gained, unauthorized activity cannot be traced to the responsible person.

In addition to the vulnerabilities identified by our scans, our audit work identified other vulnerabilities affecting the security of the NASS networks:

• Our review of 127 login IDs showed the use of alphanumeric characters for passwords was not required, and a minimum password length less than 6 characters was found for 16 of the 127 login IDs. Passwords made up of a combination of letters and numbers are more difficult for unauthorized users to guess. Additionally, when only alpha characters are allowed in a password, users are more likely to assign common words or names as passwords, making them easier for an unauthorized user to guess. Finally, passwords less than six characters in length are easier for an unauthorized user to guess.

• The feature to lock out a computer after failed login attempts was not enabled. Our testing showed that the system allowed unlimited attempts to guess the correct password. With this feature disabled, unauthorized persons could use a password cracker to attempt to access the system. At the completion of our audit, NASS personnel enabled the lockout feature so the system would lock after three unsuccessful login attempts.

[4] Grace logins refer to the number of times the user can log into a system without changing their password after it has expired.

RECOMMENDATION NO. 1

Ensure corrective actions are taken on all high and medium vulnerabilities identified on the assessment reports provided to NASS officials.

Agency Response

NASS has implemented solutions to resolve all of the high-risk vulnerabilities, and has mitigated all medium-risk vulnerabilities.

OIG Position

Management decision has been reached on this recommendation.

RECOMMENDATION NO. 2

Assess low vulnerabilities to identify trends and initiate action on those areas that together or in aggregate could lead to more serious vulnerabilities.

Agency Response

NASS has resolved over 50 percent of the 209 vulnerabilities through both direct and indirect action. NASS continues to evaluate solutions for the low-risk vulnerabilities that have not been resolved. There are some low-risk vulnerabilities that NASS acknowledges and accepts the risks.

OIG Position

Management decision has been reached on this recommendation.

RECOMMENDATION NO. 3

Obtain software to enable NASS to scan its entire network; develop procedures to assure periodic assessments are performed; and develop a methodology to track and assure correction of disclosed vulnerabilities.

Agency Response

The OCIO has solicited interest from agencies regarding the acquisition of software for vulnerability testing.
    NASS has agreed to participate in this
    acquisition and has money available for an October 1, 2001, acquisition.
    NASS will begin vulnerability testing of our network within 90 days of product
    acquisition, therefore about January 1, 2002. Once the initial testing is
    complete, NASS will continue to conduct the tests on a quarterly basis.
    NASS will strive to resolve all high vulnerabilities within a week and medium
    vulnerabilities within three weeks. NASS will report high and medium risk
    vulnerabilities that are not resolved within 30 days to the OCIO.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 4
Adopt a corporate level approach to configuration management. Develop a policy
establishing minimum security setting guidelines for the various operating systems
used by NASS. Periodically assess those settings and correct those that
have been misapplied.

    Agency Response

    NASS has just completed a merging process that enables our
    implementation of centralized configuration management. NASS has
    standardized some security setting guidelines and will continue to review
    and standardize configuration parameters during May. NASS is adopting
    the “Best Practices” for most of the configurable security settings. NASS will
    continue with this review and implementation during May.

    NASS is in the process of reviewing the roles that may allow us to define a
    specific role for specific responsibilities.
    This should allow better
    management and more flexibility in identifying and monitoring the various
    groups’ activities because they would only be capable of performing required
    functions. NASS plans to implement roles by July 1, 2001.

    OIG Position

    Management decision has been reached on this recommendation.


CHAPTER 2
NASS INFORMATION SECURITY PROGRAM MANAGEMENT NEEDS IMPROVEMENT

FINDING NO. 2
NASS needs to improve its management of IT resources, and ensure compliance with existing
Federal requirements for managing and securing IT resources. NASS has not (1)
conducted the necessary risk assessments of its networks; (2) adequately planned for
network security and contingencies; or (3) properly certified to the security of its major
systems. This occurred because NASS has not placed a priority on OMB Circular A-130
requirements such as risk assessments, security plans, contingency planning, and system
certifications.
NASS relies on its IT
infrastructure to supply market-sensitive data on commodities to the agricultural economy.
NASS’ ability to accomplish its mission may be jeopardized if it cannot properly secure its
IT infrastructure.

The OMB, Circular A-130, Appendix III, “Security of Federal Automated Information
Resources,” established a minimum set of controls for agencies’ automated information
security programs, including certifying to the security of any systems that maintain sensitive
data, establishing contingency plans and recovery procedures in the event of a disaster,
and establishing a comprehensive security plan. Further, PDD 63, “Policy on Critical
Infrastructure Protection,” requires agencies to assess the risks to their networks and
establish a plan to mitigate the identified risks.

Risk Assessments

Risk assessments, as defined by OMB, are a formal, systematic approach to assessing
the vulnerability of information system assets; identifying threats; quantifying the potential
losses from threat realization; and developing countermeasures to eliminate or reduce the
threat or amount of potential loss. Additionally, PDD 63 requires agencies to proactively
manage and protect their MEI. According to PDD 63, MEI is defined as the systems, the
hardware the systems run on, the personnel who operate the systems, the buildings where
the systems reside, and users of the systems. Specific requirements of PDD 63 include
(1) identifying MEI; (2) assessing the vulnerability of the MEI; (3) establishing a remediation
plan for correcting vulnerabilities; and (4) creating a system for responding to significant
infrastructure attack.

We found that NASS had not identified threats to network security by performing the
required risk assessments of its networks.
Our testing revealed that NASS submitted a list
of its sensitive systems to OCIO as part of the Department’s efforts to identify its
infrastructure, but no further action was taken by NASS. We found that a
comprehensive security assessment has not been performed of the NASS infrastructure
and network since 1997. Additionally, we found that an assessment of NASS’ critical
systems has not been performed.

Until updated risk assessments are completed, NASS cannot be assured that all of the
risks attributable to its mission critical systems are identified and that appropriate steps
are taken to mitigate these risks.

Security Plans

Our review disclosed that NASS had not prepared security plans that adequately
addressed the requirements of OMB Circular A-130. OMB requires agencies to prepare a
security plan to provide an overview of the security requirements of their systems. [5]
Security plans should define who has responsibility for system security, who has authority
to access the system, appropriate limits on interconnectivity with other systems, and
security training of individuals authorized to use the system. In addition, USDA
Departmental Manual 3140 [6] requires each agency to submit an automated data
processing security plan or an annual update to an existing plan to the OCIO.

The current NASS Security Plan does not include a designation of the agency official
responsible for security over NASS’ major applications. Some requirements were clearly
missing from the plan, such as the Incident Response Capability and System
Interconnection.
Additionally, in discussing NASS’ major applications, the plan did not
address (1) application rules; (2) specialized training; (3) personnel security; (4)
contingency planning; (5) technical controls; (6) information sharing; and (7) public access
controls, all of which are required by OMB Circular A-130. As a result, NASS cannot be
assured it has adequately addressed its security needs and that security policies and
practices have become an integral part of its operations.

Contingency Plans and Backup/Recovery Plans

Although NASS had a contingency plan in place, it was not sufficiently comprehensive to
ensure an adequate recovery in the event of a disaster or other major disruption in service.
We also found that NASS did not regularly back up its system files, and had not adequately
tested its contingency plan. As a result, NASS cannot be assured that its network can be
quickly and effectively recovered to accomplish its mission in the event of an emergency.

OMB Circular A-130 requires that agencies plan for how they will continue to perform their
mission or recover from the loss of application support in the event of a system failure.
While contingency plans can be written to make a distinction between the recovery from
system failure and recovery of business operations, OMB Circular A-130 states that
reliance on information technology and the push toward e-government makes the return to
manual processing an unrealistic option to disaster recovery.
For this reason, an agency
should have procedures in place to protect information resources and minimize the risk of
unplanned interruptions, and a plan to recover critical operations should interruptions occur.
Although often referred to as disaster recovery plans, controls to ensure service continuity
should address the entire range of potential disruptions from minor interruptions to major
natural disasters. Further, OMB A-130 states that contingency plans be tested, as
untested or outdated contingency plans create a false sense of the ability to recover in a
timely manner.

[5] The Computer Security Act of 1987 also requires that security plans be developed for
all Federal computer systems that contain sensitive information.
[6] DM 3140-1.1, Part 9.

NASS uses the Business Continuity Plan prepared during its Year 2000 (Y2K) conversion
effort as its contingency plan. However, the Y2K plan was not comprehensive, as it
focused entirely on the preparation of monthly activity reports, and did not address potential
service disruptions beyond Y2K. For example, the plan did not identify resources that
would be needed to perform critical, time sensitive operations in the event of a disaster.
Also, NASS operations were not prioritized for reestablishing the most critical operations
first in the event of an emergency. Without this detail, the contingency plan cannot be
adequately tested and therefore would be of little use in minimizing the disruption of system
failure.

While NASS has back-up and off-site storage procedures in place, due to problems with
its tape archival system, the off-site storage procedures have not been in effect since June
2000. If faced with an emergency, NASS would not have access to up-to-date information
and would lose months’ worth of data.
Management officials were aware of the problem,
but did not address it until our audit. NASS is currently working to reload old tapes and
reconcile them to the database. NASS was unable to provide a date when this process
will be completed.

System Certification/Authorization

NASS has never performed system certifications and authorizations as required by OMB
Circular A-130. Without adequate certification and authorization of the 26 NASS critical
systems, it cannot be assured that adequate security controls have been established for
those systems and that appropriate controls are operating effectively. NASS systems are
used to collect, compile and analyze data for agricultural forecasts and estimates which are
critical to its operations and to the agricultural economy.

OMB A-130 requires agencies to provide a written authorization by a management official
for the system to process information. Management authorization is based on an
assessment of management, operational, and technical controls. Authorization is
supported by a technical evaluation [7], risk assessment, contingency plan, and signed
rules of behavior. Re-authorization should occur after any significant change in the system,
but at least every 3 years. It should be done more often where there is high risk and
potential magnitude of harm.

[7] The technical evaluation may also be referred to as a certification review.

In summary, the lack of risk assessments, adequate security and contingency plans, and
system certifications for such key operations as the compilation and analysis of data for
agricultural forecasts and estimates places NASS operations at high risk.
NASS
management needs to take an active role in IT security to ensure that the security
vulnerabilities disclosed by our audit are timely and effectively corrected.

Our review of the Department’s FY 2000 Federal Managers’ Financial Integrity Act
(FMFIA) Report showed that NASS and the Office of the Chief Financial Officer did not
report the lack of an adequate IT security management program. This material weakness
should have been reported under Section 2 of the FMFIA Report.

RECOMMENDATION NO. 5
Develop a time-phased corrective action plan to address the weaknesses noted in this
report. Provide quarterly updates to the OCIO on the status of corrective actions until all
material problems are remediated.

    Agency Response

    NASS plans to have centralized configuration management for security
    implemented by October 1, 2001. We believe this will lead to a significant
    reduction in the number of security concerns currently identified. NASS will
    provide quarterly updates to the OCIO on June 30 and September 30, 2001
    detailing the current implementation status for each of the recommendations
    presented in the OIG audit report.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 6
Take actions to comply with PDD-63 and OMB requirements by identifying NASS’ MEI;
performing a vulnerability assessment of the MEI; and establishing a remediation plan for
correcting the vulnerabilities.

    Agency Response

    NASS will identify its mission essential infrastructure (MEI), assess the
    vulnerabilities associated with the MEI and establish a remediation plan for
    correcting vulnerabilities. NASS plans to be in full compliance with PDD-63
    and OMB Circular A-130 by August 1, 2001.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 7
Perform risk assessments of NASS critical systems, and update the NASS Security Plan to
include all areas required by OMB A-130 and the Department.

    Agency Response

    NASS will update the NASS Security Plan so that it includes all areas
    required by OMB Circular A-130 and the Department by August 1, 2001.
    NASS will perform a risk assessment of critical systems by September 1,
    2001.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 8
Resolve the archival tape problems and resume off-site storage practices.

    Agency Response

    A backup system has been operational since October 1999. The system
    performs backups on a daily basis.
    In June 2000, we experienced a
    hardware failure that resulted in restoring the database back to March 2000.
    Some data was inaccessible following this failure. During this time period,
    the tapes normally retained off-site were kept in-house to aid the file
    restoration process. Steps were taken and the backup process was
    modified to retain a backup copy of the database. Since NASS recovered
    from this failure, backups have been completed according to the established
    routine. This routine includes the system files. A review of the logs is
    completed daily to ensure that tape backups have occurred as scheduled.
    Off-site storage activities have returned to normal.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 9
Prepare a comprehensive contingency plan and initiate procedures for annual testing of the
plan.

    Agency Response

    NASS has prepared a contingency plan for the lockup area. The hardware
    and software required for implementing the lockup contingency plan have
    been acquired. The plan is scheduled to be tested during the next lockup.

    There is a team currently working on a contingency plan for the state offices
    and headquarters LAN environment. They held their first meeting in
    Washington during the week of April 2. Draft recommendations should be
    available for review by May 1. NASS plans to begin implementing a
    contingency plan for the states and headquarters during the summer of 2001.
    There will be aspects of this implementation that will be budget dependent
    and will be implemented as budget is available.
    The initial implementation of
    this plan will be tested in February 2002. The plan will be tested annually in
    February thereafter.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 10
Establish a program to perform system certification/authorizations of all NASS critical
systems in compliance with OMB A-130.

    Agency Response

    NASS feels that we evaluate current systems on an annual basis to ensure
    that adequate security controls are in place. NASS has reviewed OMB
    Circular A-130 and will perform the system certifications and authorizations
    required. NASS plans to be in full compliance with A-130 by August 1, 2001.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 11
Until appropriate corrective action is completed, report the lack of an effective IT security
management program as a material weakness in the NASS FMFIA report.

    Agency Response

    NASS plans to have an effective IT security management program
    implemented and operational by September 30, 2001.
    However, if there are
    any portions of the program that have not been implemented at that time, or
    are questionable, NASS will report them under Section 2 of the Federal
    Managers’ Financial Integrity Act (FMFIA) Report.

    OIG Position

    Management decision has been reached on this recommendation.


CHAPTER 3
NASS LOGICAL ACCESS CONTROLS NEED IMPROVEMENT

FINDING NO. 3
NASS did not sufficiently ensure that only authorized users had access to its networks;
that users were properly authorized to access network resources; and that users’ access
authority was not excessive as it relates to the performance of their job functions.
Because SSOs were allowed to configure their
individual systems, there was little oversight by headquarters personnel to ensure that
access controls were functioning properly. Headquarters personnel stated that the access
control weaknesses were overlooked in the daily operation of the computer system. In
today’s increasingly interconnected computing environment, inadequate access controls
can expose NASS’ critical data and operations to attacks of unauthorized disclosure,
modification, or deletion of data by individuals with minimal computer or
telecommunications resources and expertise.

Access controls should provide reasonable assurance that computer resources (data files,
application programs, and computer-related facilities and equipment) are protected
against unauthorized modification, disclosure, loss or impairment.
Such controls include
physical controls, such as keeping computers in locked rooms to limit physical access, and
logical controls, such as security software programs designed to prevent or detect
unauthorized access to sensitive files. During our review, we noted sufficient controls over
the physical access to NASS’ systems; however, we identified weaknesses in the logical
controls over the systems. The lack of logical access controls exposes the agency’s
systems and data to unauthorized use, modification or deletion.

We found NASS systems contained accounts that belonged to users who were no longer
employed. Further, we noted instances of user accounts and passwords being shared by
numerous employees. These vulnerabilities occurred in some of NASS’ most sensitive
systems.

Our review of NASS’ user accounts found two accounts still active for users no longer
employed by NASS. We found one active account with system administrator [8] privileges
that belonged to an employee who retired from NASS in May 2000. NASS subsequently
contracted with this employee to work on a test database, but had not removed the user’s
administrative access, which included the ability to modify NASS’ critical Estimates
Database. Another NASS account, used to access its data at the National Information
Technology Center, belonged to another retired NASS employee. We found that this
account had been accessed after the retirement date of this employee. On investigating,
NASS officials found that a current employee was using the account for routine NASS
business. They took immediate steps to ensure the account was properly converted for use
by the current user.

[8] System Administrator privileges provide complete control and modification ability to
the system.

We also identified 150 generic user accounts on the NASS LAN. Of the 150 generic
accounts, 44 had access to NASS’ critical Estimates Database. NASS allows the use of
these accounts to avoid having to reestablish user-specific accounts for every statistical
estimate reporting period. Generic accounts make it impossible for system administrators
to track the actions of users in the event that inappropriate or malicious action is taken.
NASS established procedures to require that the accounts be disabled when not in use
and that they be assigned to an individual user; however, we found that NASS had not
followed these procedures and allowed the accounts and the passwords to be shared by
several users. Of the 150 generic accounts, NASS had only disabled 2 of them, even
though our tests showed that 85 of the 150 accounts had expired passwords. Over half of
the expired passwords were more than a year old, with 31 of them dating back as far as
1992. Further, these accounts were routinely established with global access privileges,
which included the ability to create, modify, and erase files, and were not changed
according to users’ access requirements. Finally, one of these generic user accounts had
the ability to grant rights to other users. The user of this account could circumvent the
system administrator’s ability to limit the access controls of these generic accounts.

RECOMMENDATION NO. 12
Immediately delete all accounts and access authorities, including application, program, and
remote access for all separated employees.

    Agency Response

    NASS reviewed all user accounts on the Headquarters servers in
    Washington, D.C. and is in the process of reviewing the servers located in
    other offices. NASS deactivated 54 of the 150 generic accounts that had not
    been used since early 2000. These accounts will remain deactivated until
    September 2001 at which time they will be reviewed. If there is not a request
    for one of these accounts to be reactivated prior to September 2001, the
    account will be deleted from the server. The generic accounts that remained
    active are used on a frequent basis. We will document who has access to
    each generic account and change the password whenever someone no
    longer requires rights.

    NASS evaluated all user IDs on the system and found a number of them that
    had become dormant over time. NASS disabled 21 of these accounts.
    These accounts will be deleted in September if there is no activity. NASS
    prefers to initially disable accounts because there may be files that will be
    required by the replacement as part of their job function. NASS will establish
    a policy, by June 1, requiring that accounts be disabled for 90 days and then
    deleted.

    Only current NASS employees have accounts on the NASS Access Server
    that provides remote access to the NASS environment.

    The ability for any non-supervisory user to grant rights to other users will be
    removed by May 1, 2000. NASS is in the process of removing the ability that
    certain NASS user IDs had that enabled them to grant rights to specific
    areas. As of May 1, 2001, only a centralized group will be able to grant
    rights.
    The requests for the modification of rights will need to be sent from a
    supervisor to the Technical Services Branch’s official mailbox. This will
    centralize and coordinate the granting of rights and will provide a paper trail
    of the requests.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 13
Reduce the number of shared accounts to those needed and used on a regular basis. In
addition, disable accounts not in use, and adjust the rights assigned to those accounts to each
user’s needs. Where shared accounts are needed, set expiration periods to a short
timeframe to guard against misuse.

    Agency Response

    NASS is reviewing all shared accounts. A balance needs to be reached
    which provides flexibility for the usage of these accounts while simultaneously
    maintaining a high level of security. The Agency will begin disabling these
    accounts, in June, when they are not in use. NASS will limit the number of
    concurrent logins to one for these accounts during May.

    OIG Position

    Management decision has been reached on this recommendation.

RECOMMENDATION NO. 14
Review user privileges to ensure they are restricted to access required in the performance
of the user’s job.

    Agency Response

    NASS has reviewed user privileges as part of the merging process. NASS
    is trying to implement containers (groups) representing the required
    activities.
    Privileges, or rights, are now being assigned to the container and
    staffs are included in the container. This makes it much easier to see what
    privileges are available and who has them. Staff are simply added or
    deleted from the container as assignment rotations occur and the privileges
    associated with the container remain unchanged.

    NASS is in the process of evaluating and modifying the methodology
    currently used for rights. This activity will take time. Current access
    requirements must be reviewed and decisions made on the proper
    implementation so that users are not inadvertently denied access to
    information required for task completion. There are currently over 16,000
    rights assigned. While this may imply a high level of security it is nearly
    unmanageable and very difficult to find exactly who has which rights to what.
    NASS is implementing numerous activities that will ensure that privileges are
    granted correctly.
    These activities are being implemented as part of the
    centralized configuration management.

    OIG Position

    Management decision has been reached on this recommendation.


EXHIBIT A – NASS Response To Draft Report

NOTE: Portions of this response have been redacted due to inclusion of
sensitive information.


ABBREVIATIONS

FMFIA     Federal Managers’ Financial Integrity Act
FY        Fiscal Year
IT        Information Technology
LAN       Local Area Networks
MEI       Mission Essential Infrastructure
NASS      National Agricultural Statistics Service
OCIO      Office of the Chief Information Officer
OMB       Office of Management and Budget
PDD       Presidential Decision Directive
SSO       State Statistical Offices
TCP/IP    Transmission Control Protocol/Internet Protocol
USDA      United States Department of Agriculture
Y2K       Year 2000
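
The account conditions reported above (inactive accounts left enabled, accounts of separated employees, generic accounts with expired passwords, weak password settings, no lockout, non-administrators able to grant rights) can be checked mechanically against an account export. The following is an added example, not part of the audit report or of NASS tooling; the CSV column names, the sample rows and the 90-day inactivity threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are hypothetical, not a Novell format.
SAMPLE_EXPORT = """\
login_id,enabled,generic,admin_equiv,can_grant_rights,last_login,pw_expires,min_pw_len,alnum_required,lockout_after,separated_on,disabled_on
jdoe,yes,no,no,no,2001-04-20,2001-06-01,8,yes,3,,
ret_admin,yes,no,yes,no,2001-03-02,2001-07-01,8,yes,3,2000-05-31,
est_gen01,yes,yes,no,yes,1999-11-15,1992-08-01,5,no,0,,
est_gen02,no,yes,no,no,2000-01-10,2000-02-01,8,yes,3,,2001-01-05
old_user,yes,no,no,no,2000-06-30,2001-09-01,8,yes,3,,
"""

INACTIVE_DAYS = 90      # assumption: the report does not define "inactive"
MIN_PW_LEN = 6          # the report flags minimum lengths below six characters
DELETE_AFTER_DAYS = 90  # NASS response: disable for 90 days, then delete


def _day(text):
    """Parse an ISO date, treating an empty field as 'not set'."""
    return date.fromisoformat(text) if text else None


def _rows(export_text):
    return list(csv.DictReader(io.StringIO(export_text)))


def audit_accounts(export_text, today):
    """Return {login_id: set of finding codes} for one account export."""
    findings = {}
    for row in _rows(export_text):
        flags = set()
        if row["enabled"] != "yes":
            # Disabled accounts: only check the disable-then-delete window.
            disabled_on = _day(row["disabled_on"])
            if disabled_on and (today - disabled_on).days >= DELETE_AFTER_DAYS:
                flags.add("DELETE_DUE")
        else:
            separated = _day(row["separated_on"])
            if separated and separated <= today:
                flags.add("SEPARATED_BUT_ENABLED")
            last_login = _day(row["last_login"])
            if last_login is None or (today - last_login).days > INACTIVE_DAYS:
                flags.add("INACTIVE_BUT_ENABLED")
            expires = _day(row["pw_expires"])
            if expires and expires < today:
                flags.add("EXPIRED_PASSWORD_ENABLED")
            if int(row["min_pw_len"]) < MIN_PW_LEN:
                flags.add("MIN_LENGTH_BELOW_6")
            if row["alnum_required"] != "yes":
                flags.add("ALPHANUMERIC_NOT_REQUIRED")
            if int(row["lockout_after"]) == 0:  # 0 = unlimited guesses
                flags.add("LOCKOUT_DISABLED")
            if row["can_grant_rights"] == "yes" and row["admin_equiv"] != "yes":
                flags.add("NON_ADMIN_CAN_GRANT_RIGHTS")
        if flags:
            findings[row["login_id"]] = flags
    return findings


def summarize(export_text, today):
    """Site-level counts of the kind the report quotes (e.g. 8 of 102 admin equivalent)."""
    rows = _rows(export_text)
    generic = [r for r in rows if r["generic"] == "yes"]
    return {
        "accounts": len(rows),
        "admin_equivalent": sum(r["admin_equiv"] == "yes" for r in rows),
        "generic": len(generic),
        "generic_disabled": sum(r["enabled"] != "yes" for r in generic),
        "generic_expired_password": sum(
            _day(r["pw_expires"]) is not None and _day(r["pw_expires"]) < today
            for r in generic),
    }


if __name__ == "__main__":
    as_of = date(2001, 5, 14)  # constructed "today" for the sample data
    for login, flags in sorted(audit_accounts(SAMPLE_EXPORT, as_of).items()):
        print(login, ", ".join(sorted(flags)))
    print(summarize(SAMPLE_EXPORT, as_of))
```

Running the same check on a schedule, and tracking each flagged account until it is cleared, matches the periodic assessment and tracking that Recommendation No. 3 calls for.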